Secure Printing FAQ

In public cloud, all communication uses HTTPS/TLS; print tasks use pdf_uri transfer, server does not store PDF binaries long-term; supports one-time download links, which expire immediately after client first fetch, reducing link leakage risk.

One-time links prevent "old links being reused": after legitimate client consumes it once, subsequent access to same link fails. Old links in logs/screenshots/tickets cannot download document again. However, this is still a server-side policy, not zero-knowledge.

Current: E2EE not yet live. Current security model is "In-transit encryption + One-time links + Access control".

Roadmap: Introduce End-to-End Encrypted Printing Protocol. Each terminal generates key pair, server only stores session key & encrypted PDF encrypted by terminal public key. Private key stays on terminal, platform cannot technically decrypt. Goal: Even if platform modifies code, document content remains unseen.

Traditional security policies are written in server code, operators can adjust anytime. True Zero Knowledge relies on E2EE where keys exist only on endpoints. Our design philosophy assumes platform should not be fully trusted; key control remains on terminal side, so even if platform changes personnel or faces pressure, decryption is impossible.

Planned "Mandatory E2EE Mode": only accepts tasks with encryption metadata, rejecting plaintext or downgrade. Core encryption protocol will be open sourced with reproducible builds, supporting binary verification; private keys generated/stored only on terminal (OS KeyStore/Hardware Token), never uploaded to server.

Large Enterprise: Entire printing cloud deployed in own Odoo/infrastructure, data stays on customer side, platform only provides code & support.

Small Customers (Public Cloud): Odoo + Printing Cloud hosted by us, multi-tenant; current security via TLS + One-time links + Short-term storage; future E2EE support, making cloud only a carrier for ciphertext & scheduling.

If you have ops capabilities and high compliance needs (Finance/Medical/Manufacturing), choose Private Deployment for full control.

For cost & convenience, use Public Cloud, enabling E2EE as needed. Both models share same protocol and product line, low migration cost.

Windows

1. Download and install official PrintNode Client: Official Download
2. Close the client after installation.
3. Download and run patch: Windows Patch
4. Reopen client, login with portal account.

macOS

1. Download and install official PrintNode Client: Official Download
2. Run patch script in terminal: Please get link from Portal / My Account / Print Management
3. Reopen client, login with portal account.

Each account can bind a subscription plan, including validity period and page quota. Quota counts by page by default (extensible by job).

When quota is exhausted, print requests will be rejected and a friendly notification will pop up, guiding to renew or purchase more pages; no red error screen will appear.

You can view/reset API Key, devices, printers and subscription balance on Portal Print Agent page, or create/adjust subscription for account in backend.

The patch connects official PrintNode client to this printing cloud, and enables secure print logic (pdf_uri + one-time link).

In public cloud mode, you can enable secure printing in printnode_base settings, client receives one-time download URL, invalid after first use, server won't hold PDF binary long-term.

Compatible with official PrintNode API: Old clients can continue using API Key; New clients can login with Odoo portal email+password and auto generate/reuse account & API Key.

Device, printer sync follows PrintNode style, whoami / printers / computers / printjobs interfaces are compatible, low migration cost.